No description
- Rust 74.5%
- HTML 15.3%
- JavaScript 7.3%
- CSS 1.5%
- Python 1.3%
- Other 0.1%
8e46f80d89
All checks were successful
Build & Test / check (push) Successful in 1m57s
User-facing doc updates across README.md, CLAUDE.md, docs/setup.md,
docs/configuration.md, crates/hero_router/docs/{architecture,faq,overview}.md
and the embed README + internal doc comments:
* Replace `--port` / `--address` / `--ui-port` examples with `--bind` form.
* Document the four-step bind discovery chain
(HERO_MYCELIUM_IP env → hero_cfg.toml → br-$USER scan → 127.0.0.1).
* Note the legacy flags are still accepted but hidden from --help.
* Drop the "TCP localhost only" claim — that's now the discovery fallback,
not the default.
Test harness:
* crates/hero_router_test/src/main.rs:221 — switch from
`--port <n>` to `--bind :<n>` (loopback shorthand). The harness's own
`--port` CLI arg is unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .forgejo/workflows | ||
| .hero | ||
| _archive/teststability | ||
| crates | ||
| docs | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| Cargo.toml.hero_builder_backup | ||
| CLAUDE.md | ||
| PURPOSE.md | ||
| README.md | ||
Hero Router
The single TCP entry point for all Hero services. Scans Unix sockets, routes HTTP traffic by URL prefix, provides service discovery, documentation, and an MCP gateway.
Quick Start
lab build --start
By default hero_router serve auto-detects the user's mycelium IPv6 (or
falls back to 127.0.0.1) and binds port 9988. Open the admin dashboard
at the URL printed in the startup banner (tcp : http://…:9988).
Architecture
Internet / Browser / hero_proxy
│
:9988 (TCP — mycelium IPv6 if available, else loopback)
│
hero_router
├── /{service}/rpc/* → {service}/rpc.sock
├── /{service}/admin/* → {service}/admin.sock
├── /{service}/{web}/* → {service}/web_{name}.sock
├── /rpc → management API
├── /mcp → MCP gateway
└── /admin → admin dashboard (same port)
│
Unix sockets (auto-discovered)
~/hero/var/sockets/
hero_compute/rpc.sock
hero_compute/admin.sock
hero_proxy/rpc.sock
hero_proc/rpc.sock
...
Features
- Auto-discovery — scans
$HERO_SOCKET_DIR/for service sockets - URL prefix routing —
/{service}/{socket_type}/*stripped and forwarded - Header injection —
X-Hero-Context,X-Hero-Claims,X-Forwarded-Prefix - MCP gateway — exposes services as MCP-compatible tools for AI agents
- Admin dashboard — interactive web UI with service status
- CLI —
list,scan,spec,markdown,htmlsubcommands - Documentation generation — Markdown and HTML from OpenRPC specs
Crate
| Crate | Type | Description |
|---|---|---|
hero_router |
binary + library | Single binary with CLI, server, admin UI, and core library (herolib_router) |
All crates were consolidated into a single binary in v0.2.0.
Sockets
All sockets under $HERO_SOCKET_DIR/hero_router/ (default: ~/hero/var/sockets/hero_router/).
| Socket | Protocol | Description |
|---|---|---|
rpc.sock |
JSON-RPC 2.0 | Management API |
admin.sock |
HTTP | Admin dashboard |
Ports (TCP)
| Port | Description |
|---|---|
| 9988 | Routing entry point + admin dashboard (default; bind address auto-detected — see Configuration) |
Documentation
- Configuration — Environment variables and CLI flags
- API Reference — JSON-RPC management API
- Architecture — Routing, discovery, and request flow
- Setup — Installation and deployment
- Releasing — How to create a new release
Development
Use lab for all lifecycle operations:
lab build --start # build, install, and start all service binaries in this repo
lab build --stop # stop all
lab build --status # check status
Security
- The default bind is the per-user mycelium IPv6 (or
127.0.0.1when no mycelium signal is found) — see Configuration. - Override with
--bind ADDR:PORT(repeatable) orHERO_MYCELIUM_IP. - Use hero_proxy for external/TLS access.
Admin UI whitelist (optional)
When hero_router is exposed on a non-loopback address (e.g. the mycelium IPv6 of the host), the admin UI can be locked to specific source IPs. The whitelist is stored as a hero_proc secret — no config files.
- Storage: hero_proc secret
core/ADMIN_SECRETS, value is a comma-separated list of IP addresses (IPv4 or IPv6). - UDS (
admin.sock) always bypasses — local tooling over the Unix socket is trusted. - Fail-open: if hero_proc is unreachable, or the secret is missing/empty, the feature is disabled and all TCP connections are allowed. This keeps hero_router usable when the supervisor is down.
- Fail-closed only when configured: once
ADMIN_SECRETScontains at least one valid IP, every non-matching TCP connection is silently dropped at accept time — no HTTP response, just a closed socket. - Refresh: the running process re-reads the secret every 60 seconds, so CLI edits propagate without a restart.
- Same pattern applies to any Hero admin interface that wants whitelisting — read/write this one secret.
Manage from the CLI:
hero_router access list # show current whitelist
hero_router access add 10.0.0.5 # add an IP (switches enforcement on)
hero_router access remove 10.0.0.5 # remove a single IP
hero_router access clear # delete the secret (reverts to open access)
Pass --context <N> to any subcommand when operating a non-default context.
Or manage from the dashboard: open Admin in the top navbar (or go to
/admin). The page shows your current source IP, the active whitelist, and
buttons to add/remove/clear entries.